Conn. dealership group teaches cyber security

Christine Pakutka, director of business advancement and technology at Hoffman Auto Group, and Matt Kozloski, vice president of professional services at Kelser Corporation, a cyber security and information-technology consulting firm.

With so many high-profile security breaches at major businesses and organizations in the past year, Christine Pakutka figured the 550 or so employees at Hoffman Auto Group in East Hartford, Conn., would be pretty savvy about phishing emails that try to steal information.

As it turns out, Pakutka, the dealership group's director of business advancement and technology, was about 84 percent correct.

That was revealed in May when Hoffman management sent an email to nearly all employees at its nine dealerships selling Audi, BMW, Ford, Honda, Lexus, Lincoln, Nissan, Porsche and Toyota vehicles. The email, which had Pakutka's usual signature and the Hoffman Group logo at the bottom, asked them to click a link to change their dealership management system passwords in the wake of a possible security breach.

After the email was distributed, Pakutka waited to see what would transpire. "It was both interesting and nerve-wracking — I was a little anxious," she said.

The results were unexpected: About 90 employees — or 16 percent — clicked on the link.

"All they got was a blue screen on their monitor," Pakutka said. "Then I got a lot of phone calls."

She was surprised at the number who clicked the link.

"A lot of people who don't even use our DMS clicked on it," Pakutka said. "I was hoping for better results. But it's better to find out and know for sure."

Phishing expedition

Hoffman Auto Group in East Hartford, Conn., tested employees' awareness of online security by sending an email that invited workers to click on a link, a tactic sometimes used by cybercriminals.

The phishing simulation gave Hoffman, owned by brothers Jeffrey and Bradley Hoffman, the chance to educate those employees on what to do — and not to do. The exercise was recommended by Kelser Corp., a cybersecurity and information technology consultant hired by the dealership group. Though a security breach had never occurred at Hoffman, which has annual sales of 5,500 new vehicles and 3,000 used vehicles, Pakutka wanted to assess what employees knew.

"We've been in business since 1921, and everything is stored on our networks — sensitive data that needs to be protected," she said. "'Driven by trust' is our slogan, so it's very important for us to be true to that and keep everyone's information safe, for both our customers and our employees."

Kelser is one of several companies that can help dealership groups stage such tests. More dealers are putting phishing simulations in place as concerns about Internet fraud mount. Some even distribute phishing emails monthly that use a different purported sender and link to click on each time.

If a business hasn't done a test before, as many as 80 percent of employees will click on a bad link and up to 50 percent of those will give up sensitive information, said Matt Kozloski, vice president of professional services at Kelser.

"It's mind-boggling," Kozloski said. "But then again, you have to keep in mind that it's these [cyber] criminals' job to trick employees into doing things they shouldn't do. We actually have someone on our staff that can craft emails that are virtually indistinguishable from a company's real emails."

It's a sobering experience for employees. At Hoffman, they were more embarrassed than mad, Pakutka said.

On the lookout

"Many employees came to me and said, 'But the email came from you!'" Pakutka said. "But it definitely raised awareness. Now when they receive something suspicious, they first ask about it. … They're on the lookout and questioning things more, so it's been a positive experience for us."

Online training on Internet fraud prevention is part of such phishing simulations. Talking with employees about how important their role is in cybersecurity is critical to maintaining security, Kozloski said. But it's also important to keep the tone lighthearted in the aftermath of a test.

"You want it to feel important, but you should also try to have a little fun with it as opposed to being punitive about it because some employees made a mistake," he said.

"But if there are consecutive failures by certain employees and you observe that they're also not doing the monthly online training, that's an employee-performance problem that should be discussed with a manager or someone from human resources."

Phishing exercises also should be staggered so employees don't develop an "it's-the-second-Tuesday-of-the-month-so-this-must-be-a-test" mentality, Kozloski said. And it's fine to do them in fairly quick succession.
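The scoring Kozloski describes, a per-campaign click rate plus a list of employees who clicked in consecutive campaigns and also skipped the monthly training, can be automated over simulation results. The following is an added example, not Hoffman's or Kelser's code; the result rows, campaign ids, employee names and training log are all constructed.

```python
"""Score phishing-simulation results: click rate per campaign, repeat
clickers across consecutive campaigns, and the subset who also skipped
training (the "performance conversation" case, not a one-off mistake).
Added example with constructed data; not code from the dealership or the
consultant named in the article."""
from collections import defaultdict

# Constructed results: (campaign_id, employee, clicked). Campaign ids
# sort chronologically, so sorting the rows orders each employee's history.
RESULTS = [
    ("2023-05", "alice", True),  ("2023-05", "bob", False),
    ("2023-05", "carol", True),  ("2023-05", "dave", False),
    ("2023-06", "alice", True),  ("2023-06", "bob", True),
    ("2023-06", "carol", False), ("2023-06", "dave", False),
    ("2023-07", "alice", True),  ("2023-07", "bob", True),
    ("2023-07", "carol", True),  ("2023-07", "dave", False),
]
# Constructed training log: employees who completed the monthly module.
TRAINING_DONE = {"bob", "carol", "dave"}


def click_rates(results):
    """Return {campaign: fraction of recipients who clicked}."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for campaign, _employee, did_click in results:
        sent[campaign] += 1
        clicked[campaign] += int(did_click)
    return {c: clicked[c] / sent[c] for c in sent}


def repeat_clickers(results, min_consecutive=2):
    """Employees whose most recent `min_consecutive` campaigns were all clicks."""
    history = defaultdict(list)
    for _campaign, employee, did_click in sorted(results):
        history[employee].append(did_click)
    return {
        employee for employee, clicks in history.items()
        if len(clicks) >= min_consecutive and all(clicks[-min_consecutive:])
    }


def escalation_list(results, training_done, min_consecutive=2):
    """Repeat clickers who also skipped training, sorted for reporting."""
    return sorted(repeat_clickers(results, min_consecutive) - training_done)
```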

On that note, could another test be in the works at Hoffman? Pakutka would neither confirm nor deny the possibility, saying, "We want to keep people on their toes."